How spyware on rental PCs captured users’ most intimate moments

PC Rental Agent was supposed to stem theft. Instead, it sparked a firestorm.

As Brian Byrd played poker using a PC purchased from an Aaron's rent-to-own store, PC Rental Agent surreptitiously captured this screen shot. It is one of hundreds of thousands of images siphoned by the software.

Byrd v. Aaron's Inc. court filing

On the second-to-last Monday of 2010, Brian Byrd was playing video poker on his Dell Inspiron laptop when someone knocked on the door of his home in Casper, Wyoming. The visitor, who drove a truck from the local Aaron's rent-to-own store that furnished the PC five months earlier, said the 25-year-old Byrd was behind in his payments and demanded he pay up at once. He then brandished a picture that was about to cause a national privacy uproar.

The image showed Byrd on his home couch using the very laptop in question to play online poker. The employee was also privy to a screenshot of the website Byrd's PC was displaying the moment the photo was surreptitiously taken, along with keystrokes he was entering while visiting a website. When Byrd demanded an explanation, the employee, identified in a police report as 24-year-old Christopher Mendoza, said he wasn't supposed to answer. But he went on to disclose that the PC contained software that allowed Aaron's employees to track its physical location and remotely activate its webcam and capture screenshots and keystrokes. Mendoza, according to court records, left the premises after Byrd produced a copy of a receipt showing the laptop had been paid for in full on October 1.

After Byrd discussed the encounter with his wife Crystal, the couple recalled several recent occasions in which the computer had exhibited odd behavior. For the past three weeks or so, they told a police investigator, the laptop displayed a mysterious screen that prompted them for their name, address, phone number, and other details. More troubling was the light next to the webcam that was inexplicably illuminated even when neither of the Byrds was shooting video or photos. The couple soon realized that for more than a month, someone had been using the laptop to remotely spy on them. Nowhere in the terms of the rental agreement the Byrds signed was there any mention that the machine could be remotely monitored.

Adding to the couple's outrage was the recollection from two days earlier, on one of the occasions when Crystal saw the mysterious light. About to take a shower, she had been wearing just her underwear when she decided to quickly hop online to check her college course grades.

"The Byrd's were upset that their privacy had been intruded on and someone was likely looking at C. Byrd while she was undressed," a Casper Police officer identified as L. Starnes wrote in the report. "The Byrd's [sic] wanted to know why Aaron's was using software to look at them when the computer was paid off."

Rent to be pwned

Brian and Crystal Byrd weren't the only ones interested in the secret spy feature. In September, the US Federal Trade Commission secured an agreement that settled accusations that seven rent-to-own (RTO) stores and a software design firm surreptitiously captured end users' most intimate moments. The charges of unfair and deceptive gathering of consumers' personal information stemmed from the use of PC Rental Agent, a software package that is also the subject of a federal lawsuit accusing Pennsylvania-based DesignerWare, the rent-to-own stores, and their corporate parent of violating federal wiretap statutes.

As its name suggests, PC Rental Agent was designed to streamline the administration of computers offered by rent-to-own stores, which sell or rent furniture, appliances, and other merchandise to consumers, often in exchange for weekly payments until they are paid off. By default, the program includes functionality that allows store employees to wipe PC hard drives at the press of a key. The feature is used to permanently remove confidential data left by one customer before the machine is given to a new customer. PC Rental Agent also includes a "kill switch" that allows computers to be remotely disabled. Store managers can invoke the switch in the event that the machine is stolen or a customer fails to make payments as promised. Activating the feature makes the PCs unusable, in theory creating an incentive for delinquent end users to pay up.

As the Byrds learned first-hand, the program included yet another feature: a backdoor that allowed a store manager to remotely install a powerful spyware module that could surreptitiously track the location of the PC, collect pictures every two minutes of whoever was in front of the PC's built-in webcam, and capture keystrokes along with screenshots of whatever was being displayed on the monitor. When activated, this so-called "Detective Mode" operated at various levels. The first siphoned a screenshot and 30 characters' worth of keystrokes every two minutes for an hour. It then used DesignerWare servers to attach the data to e-mails that were sent to a designated manager—dubbed the "master account holder" in DesignerWare parlance—at the RTO store that issued the machine.

A second level collected a screenshot and keystrokes every two minutes until a command was issued for the collection to stop. A third level worked the same as Level 2, except that it also snapped a picture of whoever happened to be in view of the PC's built-in webcam. It also displayed a fake software registration screen that prompted end users for personal information. Detective Mode had been updated in September 2011 to make it possible to pinpoint a PC's geographic location by collecting the machine's IP address and the names of nearby wireless networks.

According to court records, a training manual DesignerWare provided its customers contained an admonition that said: "Caution, using Level#3 (prompting of the webcam) may alert the user because most webcams have a light that will flash briefly when activated. Also, prompting for information may make them suspicious. Therefore, it is best to try the less intrusive methods first (Level# 1 & 2)."

Nowhere in the manual is there any advice that the customers should be notified that PC Rental Agent can be augmented to surreptitiously spy on whoever is using the PC.

According to court documents, Detective Mode was surreptitiously loaded onto the Byrds' laptop no later than November 16, 2010. On 347 occasions on 11 different days between then and December 20, it collected webcam images, communications, and screenshots and zapped them by e-mail to a manager at an Aaron's Sales and Leasing store located just five miles from the Byrds' home. Within hours of the encounter with Mendoza, the Byrds reported the secret monitoring to the Casper Police Department. Five months later, they filed a civil complaint in federal court in the Western District of Pennsylvania that seeks class-action status, so other customers may also join the action.

No one claims to know how many PCs were monitored by PC Rental Agent. In the six months prior to the May 2011 filing of the complaint—which is all the data DesignerWare officials claim to have—the firm received requests to install Detective Mode on 650 computers leased by stores owned by Aaron's Inc. Sales and Leasing, according to sworn testimony provided in the case. That's about 0.6 percent of the 92,000 Aaron's PCs that used the software. The figures don't include PC Rental Agent-equipped machines leased by other companies or that used the software in the previous five-and-a-half years that it was available. In all, about 500 individual Aaron's stores in 48 states licensed the program.

In sworn testimony, DesignerWare cofounder Tim Kelly—who is also the software developer who wrote the code for PC Rental Agent and its Detective Mode module—said he never required licensees to disclose the Detective Mode capabilities to their customers. During the same May 2011 hearing, he went on to acknowledge the following response, posted to the DesignerWare website, to a question asking whether customers should be notified of PC Rental Agent:

"That's up to you. Some rental dealers like to make renters aware thinking it will deter them from forcing them to activate the agent, others don't reveal it." But he went on to say he required customers in his stores to sign an addendum. It stated: "You also explicitly acknowledge, understand and agree that if the computer is reported as stolen, lost or missing or if your rental contract expires, _______________ may install a monitoring/tracking component on the computer which is intended to furnish photographic and other information concerning the location and user of the computer solely in an attempt to locate and recover the computer."

The allegations contained in the complaint quickly got the attention of officials at the FTC and touched off a national debate about computer privacy.

98 Reader Comments

I'm glad the guy's sleazy corporation is in bankruptcy court, but I'm getting real tired of the FTC and other government watchdogs getting settlements instead of convictions. The guy was little better than a botnet operator; he should serve hard time. So should the Aaron's employees who used the software.

Overnight, DesignerWare revenue—which hit $650,000 in 2010 and was on track to reach $800,000 the following year—collapsed when 45 percent of his customer base defected. The company is now in Chapter 11 bankruptcy proceedings as it tries to reorganize its debts.

Not good enough. That company needs to disappear. The disgusting part is that 55% of his customers are big enough scumbags that they didn't also run for the door. Hope they all spend the next 10-15 years in court.

I'll give Designerware some credit on the fact that they're creating a tool that allows businesses to track assets that are deemed stolen. The problem is, the Hertz analogy only partly works; Hertz can't take naked pictures of you, or capture your SSN or other PII and email it (plaintext I would assume). So I understand their "we're just a software company" argument, but they allowed the collection of too much data to avoid some culpability.

Aaron's, and the other rental chains should probably be hit hardest in this case. They're the ones who may/may not have actually informed purchasers of what was happening, and if "loss prevention" people falsely stated that laptops were stolen so the detective mode could be activated, that's fraud.

Bottom line, these rental companies do need a way to track stolen equipment. On the other side, people should be properly informed of the tracking options the rental company has, and the software would have to be removable after the payments are completed.

If these items are lost or stolen, it should be the price of doing business for these places. If they can't sustain the losses, then they shouldn't offer the items for rental. There is no excuse for that level of tracking software.

There were already solutions to this problem, though. Things like Lojack for Laptops have been around for years and do not actually violate the privacy of the user to this degree (and probably work better than this software for their intended purpose; Lojack has BIOS hooks and is fairly difficult to remove). It looks like the guy was encouraging use of this "detective mode" and there's really no defense for that.

As you point out: if I rent a laptop and then stop making payments, you certainly have the right to locate and repossess the laptop. No part of that equation gives you the right to take screenshots of what I am doing or webcam shots of my personal life.

From a business legal perspective, I don't understand how anyone, specifically the person/people that wrote the software, did not see this as potentially litigious. Even if you put in an "addendum" into the rental agreement and a EULA-type screen when first booting the computer, does that protect you from HIPAA violations? The fact that Ms. Byrd was apparently logging into a medical employer's website might suggest she had access to medical records. And the fact that keystrokes were being sent as plaintext through email is another red flag.

Just terrible practice from a software developer's perspective, if nothing else.

Agreed. If you don't want items such as laptops going missing as part of the rental business, then maybe the rental business should not be offering those items.

I can understand their need for some kind of tracking software, albeit with clear disclosure to the renter, however this DesignerWare collected information that should never have been collected. Keystrokes, screenshots, and live pic capturing are a huge no no when it comes to this kind of tracking (most folks call it spyware), and I think the kill switch it was initially intended to be would have been sufficient.

Sure it sucks to have your 'customer' throw the item away or reinstall the OS, but that's the price of doing that kind of business, and I do believe there are other means to recover the property or at the least restitution for the lost item, notably small claims court.

The way this tracking software operated just seems to me that these RTO companies were trying to recover their property without doing it legally.

Yet another reason to avoid rent-to-own stores. I don't have too much of a problem with the stores installing software that could be used to assist in stolen goods recovery (a simple report-back of the current IP address would tell the store more than they needed), but cameras and keyloggers are going too far. I really hope it doesn't set a precedent given most people are using a rent-to-own plan on their smartphones these days. The answer at the end of the day is to make the technology cheaper. The article said they paid out almost $950 for the PC, and I'm sure they didn't do much that stressed it out. Imagine if they just had a Raspberry Pi and a cheap monitor for less than $200 that did 99% of what they needed.

The fact that the repo man showed up at the door with pictures taken clandestinely from the computer's webcam is proof enough that Aaron's intended to use the embarrassing or incriminating data as leverage, and that feels a lot like blackmail; now they're just one small step away from full blown criminal intent.

What businessman in their right mind would think that was a good idea though? The last thing in the world I’d want my employees to have is naked pictures of my customers, their personal health information, bank account data or Social security numbers. Who is going to be blamed when that information leaks out into the wild?

There are already firmware "kill-switches" for several modern BIOSes. That, in addition to an embedded low power GPS unit (capable of running off the CMOS battery if necessary) would be sufficient, I imagine.

DesignerWare dug its own grave, as they should have known better when they were designing the software in the first place.

I have zero problem with them recording IP address and wireless network data to try to track down lost/stolen laptops that they own. The killswitch is fine too.

However key-logging and webcam spying takes it way too far. That's an unconscionable invasion of privacy. It doesn't matter that they only supposedly use it when the laptop is stolen, they are going to unavoidably make mistakes and spy on paying customers.

Hertz doesn't install cameras and microphones in their cars that monitor what you do inside them, do they? They probably have a lojack, and that's fine, and it is enough.

If a laptop is reported as stolen by a user to RTO then shouldn't RTO file a police report? After all it is the job of the police to recover stolen property and the detective mode software would be used by the police to track the GPS location of the device. Then in the case of delinquent users simply repossess the computer. Get a court order and have a local sheriff accompany a repo agent to take the machine back. Isn’t this how things are supposed to work?

"PC Rental Agent also includes a "kill switch" that allows computers to be remotely disabled. Store managers can invoke the switch in the event that the machine is stolen or a customer fails to make payments as promised. Activating the feature makes the PCs unusable, in theory creating an incentive for delinquent end users to pay up."

If you hide the existence of a "kill switch" (as Aaron's apparently did) until after the person is already late on their payments, you've missed the point: Kill switches should be used like a nuclear deterrent--lay it out in bold print and the customer will be inclined to keep current on the payments because they know that they do not have the option to use the computer otherwise....

What the employees of the RTO stores were doing was absolutely wrong, but the end result will force the cost of rentals up so high (to pay for the few crooks) that rest (good people) will no longer be able to afford to rent a laptop.

After all is said and done, everyone except the crooks will be the losers and, once again, the crooks get off as if they won the lottery (high jury award). Maybe a good resolution to this is to give the alleged crooks $1 in damages so they don't profit from their crime, but force the RTO to either stop using, or severely modify the way they're using these programs. Clearly, disclaimers should be used and renters should know the capabilities of the tracking programs.

You do realize that the people who used RTO pay 200-300% premium for these items right?

They paid a single payment of almost $950, that wasn't their only payment, and I guarantee you they likely paid several more hundred dollars on top of that single payment.

There was a case where software was being placed on high school laptops. The principal of the school then noticed a girl who was "Acting Inappropriate" and wanted her punished for it. Which then made parents ask how he knew she was doing what she was doing.

So pretty similar, only it involved seeing minors undressed. Although it sounds like Aaron's also had photos of minors.

If incriminating pictures were taken to the police and charges were filed I think this would be going very differently. But RTO places are as seedy as their worst customers.

Absolutely. Never said RTO made any financial sense at all. In some cases, good people are forced to use them. Sad they're so badly abused, but there are a lot of them out there based on the volume that keeps RTO in business.

Very. It's very difficult to prove criminal intent, so you can still get away with this if you can afford the legal fees and token payments to the victims.

Secretly snapping tens of thousands of images of children in their beds, in the shower, getting dressed in the privacy of their bedrooms? In most parts of the civilized world this is called producing child pornography.

I have a friend who uses rent to own. The idea of saving a few hundred dollars and buying outright is a concept beyond her grasp. She was making weekly payments of about $13.50 (plus taxes) for 36 months before she owned it. I took her to Walmart and showed her a laptop that was better than what she was using for about $300, and that if she would just add some money each month to a gift card, she would be FAR ahead of the cost of an RTO laptop. So even though she was going to pay $2,100 for a $250 laptop, she likes making weekly payments.

No problem in Pennsylvania though.

No problem in America, you mean. Any entity that contributes to the Sacred Church of Capitalism, or is a government institution (as they pretty much are the judge, jury, enforcers anyway) is exempt from criminal prosecution. They only pay in the recognized currency of Justice, that is, some absurdly low monetary value. Even that is really no payment at all, as it's a tax write-off and/or laundered away by other means. The only exception to the rule is when the powers are angered and then an entity or its representative sacrificial lamb will be made an example, as a warning to the rest to support the regime.

Only you, the citizen drone are subject to imprisonment and forfeiture of all you have, including your privacy, dignity, and humanity. You are a tool to be used, exploited, milked, and trained to accept it with a smile.

The only difference is that the Pennsylvania school used Macs. In either case, if it can be proven that files were kept in someone's possession, they can be held liable for possession and possibly distribution of child pornography. However, if it can be proven that the people in the pictures had knowledge they were being photographed (an extreme long shot to be sure), then they can be held liable for production and distribution, instead of Aaron's or the school. I'm surprised the school or the rental agency didn't try this.

What a bunch of creeps. I don't care what anyone says or how supposedly legitimate the reason - it is NOT ok to install spyware onto someone's PC - especially a client - and it is even less ok to then have random employees then able to access that data. Disgusting.

As if Rent-to-Own stores weren't shady enough already. A very good description of the shady practices of these stores can be found in the book Broke, USA: From Pawnshops to Poverty, Inc. - How the Working Poor Became Big Business by Gary Rivlin.

I refuse to deal with any rent to own stores..their employees are nice enough up front but when it comes time to pay they're more like debt collectors and skip tracers...insulting, condescending and downright irritating...I wouldn't cry if this issue drove most of these rent to own chains out of business....as far as I'm concerned they're just a shade short of loan sharks..for furniture and whatnot.

Those "Electrical tape over it when you're not using it" guys looked like conspiracy theorists before, but not now.

Nah...just find out who made the BIOS, and use their tech tricks to get into it and unlock the machine, then wipe the HD and do a clean install of Windows without all the proprietary crap...not only do you get a speed increase but you get rid of the stupid crap they install just so they can advertise..buying a PC from a rent to own place is asking for trouble anyway...how many of these machines were used for less than legal purposes?? I don't want to know.

It's my experience that small business owners rarely consider whether they can be sued until the lawsuit comes, and generally blame everyone but themselves for a decision that they made, or attempt to blame & shame the victim to make them go away or look for tricks to get out of paying. It takes an arrogant bastard to lead and run a small company against a pitiless world, for better or worse.

Later on, there might be some perspective and humor about how they screwed up, but they get so emotionally invested into their business that they go on the offensive to a scary degree during the fight.

It strikes me as pretty gobsmackingly important to establish whether the Byrds paid for the laptop. Based on my general view of RTO outlets and their scrupulousness, I'm inclined to believe they did pay for it and the store's contention that it was stolen is either mistaken or dishonest. I also think that a company's implementation of software with such a huge potential downside if it is abused is a ridiculous liability and cannot possibly be worth the risk; and Hittinger's accounts of the store employees' behavior reinforce that assessment.

However, if for the sake of argument we assume that the laptop was not paid for, and that the company knew this for certain, then I can't really get too exercised about the photos, keylogging, etc. One has a right to privacy on a machine one owns, and one has absolutely no such right on a machine one does not own. The rightful owner of the machine has the right to run any damn thing he pleases on his own property, regardless of the preferences of the person operating the computer (and especially if that person came to be operating it against the owner's will).

It might be easier to neglect this when the owner is a company (and especially when it's a company in a relatively unsympathetic market that arguably "preys on" its customers), but then there are cases like this that are basically the same thing. Whether a laptop is stolen via home invasion or via reneging on a rental contract, theft does not transfer ownership of the machine, and I have no problem if the owner decides to use his computer however he wants. One steals at one's own peril.

As I said above, I think the circumstances of this incident indicate that Aaron's is probably not operating within the stolen-goods-only usage guidelines of the software, and that due to the steep consequences and likelihood of abuse it is probably not prudent for them even to try, but supposing that they were able to do so, I can't see what would be wrong with it.

The owner of the chain had a good idea, and his theory on how it would work sounded good. But, reality ... most of these stores are in lower-income neighborhoods, and the folks they hire are minimum wage lackeys that will abuse any power given them. Some chick comes in to rent a computer, you know damn sure a horny manager that has this kind of power will queue her computer up asap in order to collect nudes of her if he can.